(1) If misuse or an unauthorized disclosure of records or information deemed private and confidential under chapter 50A.25 RCW occurs, each party involved in the data-sharing that is aware of the misuse or unauthorized disclosure must inform the department within two business days of the discovery of the data security breach.

(2) In addition to informing the department of the misuse or unauthorized disclosure, the party responsible for the disclosure must take all reasonably available actions to rectify the disclosure to the department's standards. In most cases, these actions will include, at a minimum:

(a) Ceasing any continued release;

(b) Informing all individual whose data may have been released improperly of the situation; and

(c) Providing identity protection mechanisms at no charge to the individuals whose data may have been released.